nixos/acme: move the crt to fullchain.pem
lego already bundles the chain with the certificate,[1] so the current
code, designed for simp_le, was resulting in duplicate certificate
chains, manifesting as "Chain issues: Incorrect order, Extra certs" on
the Qualys SSL Server Test.
cert.pem stays around as a symlink for backwards compatibility.
[1] 5cdc0002e9/acme/api/certificate.go (L40-L44)
parent
ea79a830dc
commit
8ecbd97f82
1 changed files with 3 additions and 3 deletions
|
@ -325,10 +325,10 @@ in
|
|||
KEY=${spath}/certificates/${keyName}.key
|
||||
if [ -e $KEY -a $KEY -nt key.pem ]; then
|
||||
cp -p ${spath}/certificates/${keyName}.key key.pem
|
||||
cp -p ${spath}/certificates/${keyName}.crt cert.pem
|
||||
cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
|
||||
cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
|
||||
cat cert.pem chain.pem > fullchain.pem
|
||||
cat key.pem cert.pem chain.pem > full.pem
|
||||
ln -s fullchain.pem cert.pem
|
||||
cat key.pem fullchain.pem > full.pem
|
||||
chmod ${rights} *.pem
|
||||
chown '${data.user}:${data.group}' *.pem
|
||||
fi
|
||||
|
|
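Review bot: The added `ln -s fullchain.pem cert.pem` fails with "File exists" whenever cert.pem is already present. That is the case on every renewal after the first, and on hosts upgraded from the old layout, where cert.pem is still a regular file holding the previous certificate. Services that read cert.pem would then keep serving the stale certificate; forcing the link with `ln -sf fullchain.pem cert.pem` avoids this. If the surrounding script runs with errexit (not visible here), the failed link would also stop the run before `cat key.pem fullchain.pem > full.pem` and the `chmod`/`chown` lines, leaving a fresh key.pem beside an outdated full.pem without the intended mode and owner applied. The enclosing script starts and ends outside this hunk, so the errexit setting should be confirmed there.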